USAP framework forces AI security tools to cite verifiable evidence for every verdict
A developer has built USAP, an open-source AI security analysis framework, to address a core flaw in existing LLM-based security tools: the inability to distinguish correct verdicts from confidently wrong ones. USAP enforces an output contract requiring every security verdict to include at least one resolvable evidence reference, rejecting vague citations like 'the SIEM showed it' at the contract boundary. The system supports live MCP sources, external references such as CVEs, operator artifacts, and in-repo standards, and degrades gracefully to an UNKNOWN status rather than fabricating data when a source is unavailable. Metrics like CVSS scores and EPSS ratings are computed directly from published vectors and live feeds, with the contract rejecting any figures that contradict their cited sources. Released under the Apache-2.0 license, USAP runs as an MCP server or as system prompts and ships with a benchmark corpus covering real incidents like Log4Shell and MOVEit to enable objective performance evaluation.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.